##// END OF EJS Templates
upstream » mercurial-mirror
RSS

Clone from https://www.mercurial-scm.org/repo/hg-all

tests: extract SSL certificates from test-https.t...
tests: extract SSL certificates from test-https.t They can be reused in SMTPS tests.
Yuya Nishihara - - Load All Authors

File last commit:

r29331:1e02d957 default
r29331:1e02d957 default
Show More
test-https.t
321 lines | 12.2 KiB | text/troff | Tads3Lexer
/ tests / test-https.t
History | Source | Raw |Copy content |Copy permalink
Matt Mackall
tests: replace exit 80 with #require
 r22046 #require serve ssl
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Matt Mackall
tests: replace exit 80 with #require
 r22046 Proper https client requires the built-in ssl from Python 2.6.
Mads Kiilerich
serve: fix https mode and add test...
 r12740
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 Make server certificates:
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ CERTSDIR="$TESTDIR/sslcerts"
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub.pem" >> server.pem
$ PRIV=`pwd`/server.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-not-yet.pem" > server-not-yet.pem
$ cat "$CERTSDIR/priv.pem" "$CERTSDIR/pub-expired.pem" > server-expired.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ hg init test
$ cd test
$ echo foo>foo
$ mkdir foo.d foo.d/bAr.hg.d foo.d/baR.d.hg
$ echo foo>foo.d/foo
$ echo bar>foo.d/bAr.hg.d/BaR
$ echo bar>foo.d/baR.d.hg/bAR
$ hg commit -A -m 1
adding foo
adding foo.d/bAr.hg.d/BaR
adding foo.d/baR.d.hg/bAR
adding foo.d/foo
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV
$ cat ../hg0.pid >> $DAEMON_PIDS
timeless
cacert: improve error report when web.cacert file does not exist
 r13544 cacert not found
$ hg in --config web.cacerts=no-such.pem https://localhost:$HGPORT/
abort: could not find web.cacerts: no-such.pem
[255]
Mads Kiilerich
serve: fix https mode and add test...
 r12740 Test server address cannot be reused
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 #if windows
$ hg serve -p $HGPORT --certificate=$PRIV 2>&1
Simon Heimberg
tests: remove glob from output lines containing no glob character
 r18682 abort: cannot start server at ':$HGPORT':
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 [255]
#else
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ hg serve -p $HGPORT --certificate=$PRIV 2>&1
abort: cannot start server at ':$HGPORT': Address already in use
[255]
Adrian Buehlmann
test-http and test-https: partially adapt for Windows
 r17023 #endif
Mads Kiilerich
serve: fix https mode and add test...
 r12740 $ cd ..
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 Our test cert is not signed by a trusted CA. It should fail to verify if
we are able to load CA certs.
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Yuya Nishihara
test-https: enable dummycert test only if Apple python is used (issue4500)...
 r24289 #if defaultcacerts
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 $ hg clone https://localhost:$HGPORT/ copy-pull
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575 [255]
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 #endif
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ DISABLECACERTS="--config devel.disableloaddefaultcerts=true"
Mads Kiilerich
ssl: on OS X, use a dummy cert to trick Python/OpenSSL to use system CA certs...
 r22575
Mads Kiilerich
serve: fix https mode and add test...
 r12740 clone via pull
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ hg clone https://localhost:$HGPORT/ copy-pull $DISABLECACERTS
Gregory Szorc
sslutil: make cert fingerprints messages more actionable...
 r29292 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 requesting all changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 4 changes to 4 files
updating to branch default
4 files updated, 0 files merged, 0 files removed, 0 files unresolved
$ hg verify -R copy-pull
checking changesets
checking manifests
crosschecking files in changesets and manifests
checking files
4 files, 1 changesets, 4 total revisions
$ cd test
$ echo bar > bar
$ hg commit -A -d '1 0' -m 2
adding bar
$ cd ..
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pull without cacert
Mads Kiilerich
serve: fix https mode and add test...
 r12740
$ cd copy-pull
$ echo '[hooks]' >> .hg/hgrc
Matt Mackall
tests: simplify printenv calls...
 r25478 $ echo "changegroup = printenv.py changegroup" >> .hg/hgrc
Gregory Szorc
sslutil: add devel.disableloaddefaultcerts to disable CA loading...
 r29288 $ hg pull $DISABLECACERTS
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: make cert fingerprints messages more actionable...
 r29292 warning: certificate for localhost not verified (set hostsecurity.localhost:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 or web.cacerts config settings)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 searching for changes
adding changesets
adding manifests
adding file changes
added 1 changesets with 1 changes to 1 files
Mateusz Kwapich
hooks: add HG_NODE_LAST to txnclose and changegroup hook environments...
 r27739 changegroup hook: HG_NODE=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_NODE_LAST=5fed3813f7f5e1824344fdc9cf8f63bb662c292d HG_SOURCE=pull HG_TXNID=TXN:* HG_URL=https://localhost:$HGPORT/ (glob)
Mads Kiilerich
serve: fix https mode and add test...
 r12740 (run 'hg update' to get a working copy)
$ cd ..
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 cacert configured in local repo
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ cp copy-pull/.hg/hgrc copy-pull/.hg/hgrc.bu
$ echo "[web]" >> copy-pull/.hg/hgrc
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ echo "cacerts=$CERTSDIR/pub.pem" >> copy-pull/.hg/hgrc
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ hg -R copy-pull pull --traceback
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 $ mv copy-pull/.hg/hgrc.bu copy-pull/.hg/hgrc
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 cacert configured globally, also testing expansion of environment
variables in the filename
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
$ echo "[web]" >> $HGRCPATH
Eduard-Cristian Stefan
url: expand path for web.cacerts
 r13231 $ echo 'cacerts=$P/pub.pem' >> $HGRCPATH
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg -R copy-pull pull
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg -R copy-pull pull --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Mads Kiilerich
https: use web.cacerts configuration from local repo to validate remote repo
 r13192
cacert mismatch
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://127.0.0.1:$HGPORT/
Mads Kiilerich
sslutil: show fingerprint when cacerts validation fails
 r15814 abort: 127.0.0.1 certificate error: certificate is for localhost
Gregory Szorc
sslutil: make cert fingerprints messages more actionable...
 r29292 (set hostsecurity.127.0.0.1:certfingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30 config setting or use --insecure to connect insecurely)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub.pem" \
> https://127.0.0.1:$HGPORT/ --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://127.0.0.1:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to 127.0.0.1 is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-other.pem" \
> --insecure
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Yuya Nishihara
url: add --insecure option to bypass verification of ssl certificates...
 r13328 searching for changes
no changes found
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741
Test server cert which isn't valid yet
Jun Wu
tests: reorder hg serve commands...
 r28549 $ hg serve -R test -p $HGPORT1 -d --pid-file=hg1.pid --certificate=server-not-yet.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg1.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-not-yet.pem" \
> https://localhost:$HGPORT1/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT1/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Test server cert which no longer is valid
Jun Wu
tests: reorder hg serve commands...
 r28549 $ hg serve -R test -p $HGPORT2 -d --pid-file=hg2.pid --certificate=server-expired.pem
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 $ cat hg2.pid >> $DAEMON_PIDS
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ hg -R copy-pull pull --config web.cacerts="$CERTSDIR/pub-expired.pem" \
> https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
test-https: test web.cacerts functionality
 r12741 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314
Fingerprints
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 - works without cacerts (hostkeyfingerprints)
Gregory Szorc
tests: don't save host fingerprints in hgrc...
 r29263 $ hg -R copy-pull id https://localhost:$HGPORT/ --insecure --config hostfingerprints.localhost=91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 - works without cacerts (hostsecurity)
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca
5fed3813f7f5
$ hg -R copy-pull id https://localhost:$HGPORT/ --config hostsecurity.localhost:fingerprints=sha256:62:09:97:2f:97:60:e3:65:8f:12:5d:78:9e:35:a1:36:7a:65:4b:0e:9f:ac:db:c3:bc:6e:b6:a3:c0:16:e0:30
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and first matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
 r28847 $ hg --config 'hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca, deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:914f1aff87249c09b6859b88b1906d30756491ca, sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and last matches
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
 r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 5fed3813f7f5
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:914f1aff87249c09b6859b88b1906d30756491ca' -R copy-pull id https://localhost:$HGPORT/
5fed3813f7f5
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 - multiple fingerprints specified and none match
Gregory Szorc
tests: use --insecure instead of web.cacerts=!...
 r28847 $ hg --config 'hostfingerprints.localhost=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/ --insecure
Gregory Szorc
sslutil: allow multiple fingerprints per host...
 r28525 abort: certificate for localhost has unexpected fingerprint 91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
(check hostfingerprint configuration)
[255]
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 $ hg --config 'hostsecurity.localhost:fingerprints=sha1:deadbeefdeadbeefdeadbeefdeadbeefdeadbeef, sha1:aeadbeefdeadbeefdeadbeefdeadbeefdeadbeef' -R copy-pull id https://localhost:$HGPORT/
Gregory Szorc
sslutil: print the fingerprint from the last hash used...
 r29293 abort: certificate for localhost has unexpected fingerprint sha1:91:4f:1a:ff:87:24:9c:09:b6:85:9b:88:b1:90:6d:30:75:64:91:ca
Gregory Szorc
sslutil: reference appropriate config section in messaging...
 r29268 (check hostsecurity configuration)
Gregory Szorc
sslutil: allow fingerprints to be specified in [hostsecurity]...
 r29267 [255]
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 - fails when cert doesn't match hostname (port is ignored)
Gregory Szorc
tests: don't save host fingerprints in hgrc...
 r29263 $ hg -R copy-pull id https://localhost:$HGPORT1/ --config hostfingerprints.localhost=914f1aff87249c09b6859b88b1906d30756491ca
Matt Mackall
sslutil: more helpful fingerprint mismatch message...
 r15997 abort: certificate for localhost has unexpected fingerprint 28:ff:71:bf:65:31:14:23:ad:62:92:b4:0e:31:99:18:fc:83:e3:9b
(check hostfingerprint configuration)
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 [255]
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
 r18588
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 - ignores that certificate doesn't match hostname
Gregory Szorc
tests: don't save host fingerprints in hgrc...
 r29263 $ hg -R copy-pull id https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
Mads Kiilerich
url: 'ssh known host'-like checking of fingerprints of HTTPS certificates...
 r13314 5fed3813f7f5
Mads Kiilerich
tests: test https through http proxy...
 r13423
Augie Fackler
test-https.t: stop using kill `cat $pidfile`
 r18588 HGPORT1 is reused below for tinyproxy tests. Kill that server.
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg1.pid
Matt Mackall
tests: fix startup/shutdown races in test-https...
 r16300
Mads Kiilerich
tests: test https through http proxy...
 r13423 Prepare for connecting through proxy
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ tinyproxy.py $HGPORT1 localhost >proxy.log </dev/null 2>&1 &
Mads Kiilerich
tests: use 'do sleep 0' instead of 'do true', also on first line of command...
 r16496 $ while [ ! -f proxy.pid ]; do sleep 0; done
Mads Kiilerich
tests: test https through http proxy...
 r13423 $ cat proxy.pid >> $DAEMON_PIDS
$ echo "[http_proxy]" >> copy-pull/.hg/hgrc
$ echo "always=True" >> copy-pull/.hg/hgrc
$ echo "[hostfingerprints]" >> copy-pull/.hg/hgrc
$ echo "localhost =" >> copy-pull/.hg/hgrc
Test unvalidated https through proxy
$ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull --insecure --traceback
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Gregory Szorc
sslutil: move and change warning when cert verification is disabled...
 r29289 warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
Mads Kiilerich
tests: test https through http proxy...
 r13423 searching for changes
no changes found
Test https with cacert and fingerprint through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub.pem"
Mads Kiilerich
tests: test https through http proxy...
 r13423 pulling from https://localhost:$HGPORT/
searching for changes
no changes found
Gregory Szorc
tests: don't save host fingerprints in hgrc...
 r29263 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull https://127.0.0.1:$HGPORT/ --config hostfingerprints.127.0.0.1=914f1aff87249c09b6859b88b1906d30756491ca
Mads Kiilerich
tests: test https through http proxy...
 r13423 pulling from https://127.0.0.1:$HGPORT/
searching for changes
no changes found
Test https with cert problems through proxy
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-other.pem"
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ http_proxy=http://localhost:$HGPORT1/ hg -R copy-pull pull \
> --config web.cacerts="$CERTSDIR/pub-expired.pem" https://localhost:$HGPORT2/
Thomas Arendsen Hein
pull: print "pulling from foo" before accessing the other repo...
 r24138 pulling from https://localhost:$HGPORT2/
Augie Fackler
test-https: glob error messages more so we pass on Python 2.7.9...
 r23823 abort: error: *certificate verify failed* (glob)
Mads Kiilerich
url: merge BetterHTTPS with httpsconnection to get some proxy https validation
 r13424 [255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
Matt Mackall
tests: drop explicit $TESTDIR from executables...
 r25472 $ killdaemons.py hg0.pid
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413
#if sslcontext
Start patched hgweb that requires client certificates:
$ cat << EOT > reqclientcert.py
> import ssl
> from mercurial.hgweb import server
> class _httprequesthandlersslclientcert(server._httprequesthandlerssl):
> @staticmethod
> def preparehttpserver(httpserver, ssl_cert):
> sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
> sslcontext.verify_mode = ssl.CERT_REQUIRED
> sslcontext.load_cert_chain(ssl_cert)
> # verify clients by server certificate
> sslcontext.load_verify_locations(ssl_cert)
> httpserver.socket = sslcontext.wrap_socket(httpserver.socket,
> server_side=True)
> server._httprequesthandlerssl = _httprequesthandlersslclientcert
> EOT
$ cd test
$ hg serve -p $HGPORT -d --pid-file=../hg0.pid --certificate=$PRIV \
> --config extensions.reqclientcert=../reqclientcert.py
$ cat ../hg0.pid >> $DAEMON_PIDS
$ cd ..
without client certificate:
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 abort: error: *handshake failure* (glob)
[255]
with client certificate:
$ cat << EOT >> $HGRCPATH
> [auth]
> l.prefix = localhost
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 > l.cert = $CERTSDIR/client-cert.pem
> l.key = $CERTSDIR/client-key.pem
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 > EOT
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
> --config auth.l.key="$CERTSDIR/client-key-decrypted.pem"
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 5fed3813f7f5
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ printf '1234\n' | env P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 > --config ui.interactive=True --config ui.nontty=True
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 passphrase for */client-key.pem: 5fed3813f7f5 (glob)
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415
Yuya Nishihara
tests: extract SSL certificates from test-https.t...
 r29331 $ env P="$CERTSDIR" hg id https://localhost:$HGPORT/
Yuya Nishihara
ssl: prompt passphrase of client key file via ui.getpass() (issue4648)...
 r25415 abort: error: * (glob)
[255]
Yuya Nishihara
test-https: test basic functions of client certificate authentication...
 r25413 #endif